Malware Analysis Report

2024-11-13 13:46

Sample ID 240718-kyngxsvcrb
Target nursultan alpha.exe
SHA256 b27372b955d8e6cf46a3d36826511468504f8d58b5f24720351bf85f123cfea5
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b27372b955d8e6cf46a3d36826511468504f8d58b5f24720351bf85f123cfea5

Threat Level: Known bad

The file nursultan alpha.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DcRat

Dcrat family

DCRat payload

Process spawned unexpected child process

DCRat payload

Downloads MZ/PE file

Executes dropped EXE

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-18 09:00

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-18 09:00

Reported

2024-07-18 09:03

Platform

win10-20240404-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
File created | C:\Windows\PLA\ebf1f9fa8afd6d | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A
N/A | N/A | C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A
File created | C:\Program Files\Microsoft Office\root\rsod\f3b6ecef712a24 | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A
File created | C:\Program Files\Windows Defender\Offline\sihost.exe | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A
File created | C:\Program Files\Windows Defender\Offline\66fc9ff0ee96c2 | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\PLA\cmd.exe | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A
File opened for modification | C:\Windows\PLA\cmd.exe | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A
File created | C:\Windows\PLA\ebf1f9fa8afd6d | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A
File created | C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A
File created | C:\Windows\PolicyDefinitions\es-ES\29c1c3cc0f7685 | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 168 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe | C:\Windows\SysWOW64\WScript.exe
PID 168 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe | C:\Windows\SysWOW64\WScript.exe
PID 168 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe | C:\Windows\SysWOW64\WScript.exe
PID 168 wrote to memory of 4984 | N/A | C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe | C:\Windows\SysWOW64\WScript.exe
PID 168 wrote to memory of 4984 | N/A | C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe | C:\Windows\SysWOW64\WScript.exe
PID 168 wrote to memory of 4984 | N/A | C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe | C:\Windows\SysWOW64\WScript.exe
PID 2108 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\AgentDriversavesrefmonitor\browserFontdll.exe
PID 1932 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\AgentDriversavesrefmonitor\browserFontdll.exe
PID 2572 wrote to memory of 4108 | N/A | C:\AgentDriversavesrefmonitor\browserFontdll.exe | C:\Windows\System32\cmd.exe
PID 2572 wrote to memory of 4108 | N/A | C:\AgentDriversavesrefmonitor\browserFontdll.exe | C:\Windows\System32\cmd.exe
PID 4108 wrote to memory of 5060 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4108 wrote to memory of 5060 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4108 wrote to memory of 1720 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe
PID 4108 wrote to memory of 1720 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe

"C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\AgentDriversavesrefmonitor\cN02MCsoKlkD.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\AgentDriversavesrefmonitor\file.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\AgentDriversavesrefmonitor\KXGsF5yeLPYE.bat" "

C:\AgentDriversavesrefmonitor\browserFontdll.exe

"C:\AgentDriversavesrefmonitor\browserFontdll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\PLA\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\Offline\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Offline\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\Offline\sihost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fvEHEwzTUV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe

"C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | xdenisq5.beget.tech | udp
RU | 5.101.153.31:80 | xdenisq5.beget.tech | tcp
RU | 5.101.153.31:80 | xdenisq5.beget.tech | tcp
US | 8.8.8.8:53 | 31.153.101.5.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
RU | 5.101.153.31:80 | xdenisq5.beget.tech | tcp
US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp

Files

C:\AgentDriversavesrefmonitor\cN02MCsoKlkD.vbe

MD5 a732935b7511a789de0a7fe84b991d42
SHA1 b99ae053d5df9684f12da7ad90e6e8a56c9d0b4e
SHA256 b686a1c9ece16e8bf2e95a769128b30c047f14413dadddfc422f288dd6e8aa99
SHA512 e9b249a2419e5dbdd0e9cfd238f1f6e1559bdd1efc0264d52b4f4bb5fa10b128138a54d2060cecab4f62f815fafc952329a1e8377b756fd8178e4f41d87273d1

C:\AgentDriversavesrefmonitor\file.vbs

MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\AgentDriversavesrefmonitor\KXGsF5yeLPYE.bat

MD5 fdee2979f8de0e9a4a11bfecb268b97a
SHA1 2cdf74132e975745894a81db47814ff38e43a71c
SHA256 9bf130c323cb7fee0ab32dfdd9e4065ede767babd5f763e96ebbe5f09f577028
SHA512 281be0377447c63debf6d35b52a21c9b193ada7b9c153685cf99963d31dcff89070f167477be99f5fd959be1894bd59725023c1b1c1f5078fadecade14ca7557

C:\AgentDriversavesrefmonitor\browserFontdll.exe

MD5 692f6967406106fc784223f04ec69b8c
SHA1 e6e174a86f9df6041a00d38f2b39506456f60602
SHA256 424468b014466c994112ec496e18fd5d7a693b28b411c0ca52229704cd2ef574
SHA512 14f14d50e76c2c179cb3c2b1ea1861fe0776b8eb7cb5798b277a1bf7fca2cd11e79a3355d28c36130deb4a916e462e314b38b346f7069ca86d765826ff14408f

memory/2572-19-0x00000000007A0000-0x0000000000978000-memory.dmp

memory/2572-20-0x0000000002BA0000-0x0000000002BF6000-memory.dmp

memory/2572-21-0x00000000029D0000-0x00000000029D8000-memory.dmp

memory/2572-22-0x00000000029E0000-0x00000000029E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fvEHEwzTUV.bat

MD5 0f53b12e0a9936a2eae81863bcde8994
SHA1 0e28cff0e08af514fd688cf33cadd0d3b73361e2
SHA256 3616d7adfca2257eb39d813b298a365414423241a4374809c77bfe64a66584b8
SHA512 14ac6d017f6bc061c2ad8839dfe3e93816829305fed7886e930c2b6626aa57d94b642e82a509bce8b701f070e01637a6fb4ac49b2dab3c19e5dec2e2eba4b0ee

memory/1720-40-0x000000001BF20000-0x000000001BF76000-memory.dmp

memory/1720-41-0x0000000001400000-0x000000000141C000-memory.dmp

memory/1720-42-0x0000000001470000-0x00000000014C0000-memory.dmp